[GH-ISSUE #209] [Server] DNSSEC doesn't want to work #95

Closed
opened 2026-03-07 22:18:47 +03:00 by kerem · 7 comments

Originally created by @Darkspirit on GitHub (Sep 26, 2017).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/209

compiled with:

cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --features tls,ring --force

/home/trustdns/config.toml

listen_addrs_ipv6 = ["2a01:4f8:c0c:2c12::50"]

[[zones]]
zone = "ikenmeyer.com"
zone_type = "MASTER"
file = "ikenmeyer.com.zone"
allow_update = true
enable_dnssec = true

[[zones.keys]]
key_path = "ikenmeyer.com.zone.csk.pem"
algorithm = "ECDSAP384SHA384"
signer_name = "ikenmeyer.com"
is_zone_signing_key = true
is_zone_update_auth = true
create_if_absent = true

/home/trustdns/ikenmeyer.com.zone

; replace the trust-dns.org with your own name
@               IN      SOA     dev.h.terrax.net. hostmaster.terrax.net. (
                                201709264       ; Serial
                                28800   ; Refresh
                                7200    ; Retry
                                604800  ; Expire
                                86400)  ; Minimum TTL
                        NS      dev.h.terrax.net.


@                A       127.0.0.1
                 AAAA    ::1

www              A        127.0.0.1
                 AAAA     ::1

first run

root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-26T18:59:56.257942782+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-26T18:59:56.258072832+00:00 INFO named:445 Trust-DNS 0.11.4 starting
2017-09-26T18:59:56.258117568+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml"
2017-09-26T18:59:56.258330834+00:00 INFO named:147 loading zone file: "/home/trustdns/ikenmeyer.com.zone"
2017-09-26T18:59:56.397795606+00:00 INFO named:167 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl"
2017-09-26T18:59:56.523851494+00:00 INFO trust_dns_server::authority::authority:154 persisting zone to journal at SOA.serial: 201709264
2017-09-26T18:59:56.672726651+00:00 INFO named:182 loaded zone: ikenmeyer.com.
2017-09-26T18:59:56.672921735+00:00 INFO named:258 creating key: "ikenmeyer.com.zone.csk.pem"
2017-09-26T18:59:56.676741810+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-26T18:59:56.677023788+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-26T18:59:56.677287178+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-26T18:59:56.677390379+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-26T18:59:56.677479414+00:00 INFO named:560 
2017-09-26T18:59:56.677534416+00:00 INFO named:561     o                      o            o             
2017-09-26T18:59:56.677588896+00:00 INFO named:562     |                      |            |             
2017-09-26T18:59:56.677642803+00:00 INFO named:563   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-26T18:59:56.677675391+00:00 INFO named:564     |    |    |  |   \     |         |  |  |  |   \   
2017-09-26T18:59:56.677719136+00:00 INFO named:565     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-26T18:59:56.677746525+00:00 INFO named:566 
2017-09-26T18:59:56.677807040+00:00 INFO named:550 awaiting connections...
2017-09-26T18:59:56.677832002+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
^C

second run

root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-26T18:59:59.745453654+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-26T18:59:59.745504738+00:00 INFO named:445 Trust-DNS 0.11.4 starting
2017-09-26T18:59:59.745510561+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml"
2017-09-26T18:59:59.745682229+00:00 INFO named:128 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl"
2017-09-26T18:59:59.746051871+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal
2017-09-26T18:59:59.746139888+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com.
2017-09-26T18:59:59.746153931+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }
2017-09-26T18:59:59.746200155+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com.
2017-09-26T18:59:59.746224058+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) }
2017-09-26T18:59:59.746279724+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com.
2017-09-26T18:59:59.746288178+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) }
2017-09-26T18:59:59.746336301+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-26T18:59:59.746389760+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }
2017-09-26T18:59:59.746454615+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-26T18:59:59.746503246+00:00 WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available!
2017-09-26T18:59:59.746512166+00:00 INFO named:143 recovered zone: ikenmeyer.com.
2017-09-26T18:59:59.746526255+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-26T18:59:59.886663992+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-26T18:59:59.886871343+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-26T18:59:59.886907918+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-26T18:59:59.886923804+00:00 INFO named:560 
2017-09-26T18:59:59.886929563+00:00 INFO named:561     o                      o            o             
2017-09-26T18:59:59.886934524+00:00 INFO named:562     |                      |            |             
2017-09-26T18:59:59.886937829+00:00 INFO named:563   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-26T18:59:59.886940914+00:00 INFO named:564     |    |    |  |   \     |         |  |  |  |   \   
2017-09-26T18:59:59.886943989+00:00 INFO named:565     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-26T18:59:59.886947086+00:00 INFO named:566 
2017-09-26T18:59:59.886949786+00:00 INFO named:550 awaiting connections...
2017-09-26T18:59:59.886952854+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
2017-09-26T19:00:20.442413314+00:00 INFO trust_dns_server::authority::catalog:43 request id: 48776 type: Query op_code: Query
2017-09-26T19:00:20.551246660+00:00 INFO trust_dns_server::authority::catalog:43 request id: 21180 type: Query op_code: Query
2017-09-26T19:00:20.688847592+00:00 INFO trust_dns_server::authority::catalog:43 request id: 46491 type: Query op_code: Query
2017-09-26T19:00:20.689019497+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17243 type: Query op_code: Query
2017-09-26T19:00:20.689083724+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17565 type: Query op_code: Query
2017-09-26T19:00:20.689127346+00:00 INFO trust_dns_server::authority::catalog:43 request id: 62546 type: Query op_code: Query
2017-09-26T19:00:20.689167497+00:00 INFO trust_dns_server::authority::catalog:43 request id: 10546 type: Query op_code: Query
2017-09-26T19:00:20.689206264+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3940 type: Query op_code: Query
2017-09-26T19:00:20.689241729+00:00 INFO trust_dns_server::authority::catalog:43 request id: 61451 type: Query op_code: Query
2017-09-26T19:00:20.689308424+00:00 INFO trust_dns_server::authority::catalog:43 request id: 60769 type: Query op_code: Query
2017-09-26T19:00:20.689349340+00:00 INFO trust_dns_server::authority::catalog:43 request id: 15629 type: Query op_code: Query
2017-09-26T19:00:20.689385603+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64584 type: Query op_code: Query
2017-09-26T19:00:20.793592807+00:00 INFO trust_dns_server::authority::catalog:43 request id: 53951 type: Query op_code: Query
^C

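dnsviz scanned the zone in the second run and it isn't signed: http://dnsviz.net/d/ikenmeyer.com/e/178688396/dnssec/

* If you hover a bubble you can see the messages I quoted here: https://github.com/bluejekyll/trust-dns/issues/53#issuecomment-332020774
* There should be some blue lines inside the zone like here: http://dnsviz.net/d/ikenmeyer.eu/dnssec/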

This order seems wrong to me:

WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available!
[...]
INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem"

Regarding

> WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com.

$ dig SOA ikenmeyer.com @dev.h.terrax.net +short
dev.h.terrax.net. hostmaster.terrax.net. 201709264 28800 7200 604800 86400
$ dig NS ikenmeyer.com @dev.h.terrax.net +short
dev.h.terrax.net.
$ dig DNSKEY ikenmeyer.com @dev.h.terrax.net +short
257 3 14 8tUooEy/VAzAhMSxEHA1M8/x7ixcK2KOfmMXF6q8FSMhHClxuRU92isu DIuLUhXXszPYW8UrHTmVfHqXOiUebmnAUwgD/oC0phjX2RQ/VuetAex/ YyK8qqNtGbxYzvXW
Originally created by @Darkspirit on GitHub (Sep 26, 2017). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/209 compiled with: ``` cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --features tls,ring --force ``` /home/trustdns/config.toml ``` listen_addrs_ipv6 = ["2a01:4f8:c0c:2c12::50"] [[zones]] zone = "ikenmeyer.com" zone_type = "MASTER" file = "ikenmeyer.com.zone" allow_update = true enable_dnssec = true [[zones.keys]] key_path = "ikenmeyer.com.zone.csk.pem" algorithm = "ECDSAP384SHA384" signer_name = "ikenmeyer.com" is_zone_signing_key = true is_zone_update_auth = true create_if_absent = true ``` /home/trustdns/ikenmeyer.com.zone ``` ; replace the trust-dns.org with your own name @ IN SOA dev.h.terrax.net. hostmaster.terrax.net. ( 201709264 ; Serial 28800 ; Refresh 7200 ; Retry 604800 ; Expire 86400) ; Minimum TTL NS dev.h.terrax.net. @ A 127.0.0.1 AAAA ::1 www A 127.0.0.1 AAAA ::1 ``` first run ``` root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ 2017-09-26T18:59:56.257942782+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-26T18:59:56.258072832+00:00 INFO named:445 Trust-DNS 0.11.4 starting 2017-09-26T18:59:56.258117568+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml" 2017-09-26T18:59:56.258330834+00:00 INFO named:147 loading zone file: "/home/trustdns/ikenmeyer.com.zone" 2017-09-26T18:59:56.397795606+00:00 INFO named:167 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-26T18:59:56.523851494+00:00 INFO trust_dns_server::authority::authority:154 persisting zone to journal at SOA.serial: 201709264 2017-09-26T18:59:56.672726651+00:00 INFO named:182 loaded zone: ikenmeyer.com. 
2017-09-26T18:59:56.672921735+00:00 INFO named:258 creating key: "ikenmeyer.com.zone.csk.pem" 2017-09-26T18:59:56.676741810+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-26T18:59:56.677023788+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-26T18:59:56.677287178+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-26T18:59:56.677390379+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-26T18:59:56.677479414+00:00 INFO named:560 2017-09-26T18:59:56.677534416+00:00 INFO named:561 o o o 2017-09-26T18:59:56.677588896+00:00 INFO named:562 | | | 2017-09-26T18:59:56.677642803+00:00 INFO named:563 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-26T18:59:56.677675391+00:00 INFO named:564 | | | | \ | | | | | \ 2017-09-26T18:59:56.677719136+00:00 INFO named:565 o o o--o o-o o o-o o o o-o 2017-09-26T18:59:56.677746525+00:00 INFO named:566 2017-09-26T18:59:56.677807040+00:00 INFO named:550 awaiting connections... 2017-09-26T18:59:56.677832002+00:00 INFO trust_dns_server::server::server_future:203 Server starting up ^C ``` second run ``` root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ 2017-09-26T18:59:59.745453654+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-26T18:59:59.745504738+00:00 INFO named:445 Trust-DNS 0.11.4 starting 2017-09-26T18:59:59.745510561+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml" 2017-09-26T18:59:59.745682229+00:00 INFO named:128 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-26T18:59:59.746051871+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal 2017-09-26T18:59:59.746139888+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com. 
2017-09-26T18:59:59.746153931+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-26T18:59:59.746200155+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com. 2017-09-26T18:59:59.746224058+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) } 2017-09-26T18:59:59.746279724+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com. 2017-09-26T18:59:59.746288178+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) } 2017-09-26T18:59:59.746336301+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 2017-09-26T18:59:59.746389760+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-26T18:59:59.746454615+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 
2017-09-26T18:59:59.746503246+00:00 WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available! 2017-09-26T18:59:59.746512166+00:00 INFO named:143 recovered zone: ikenmeyer.com. 2017-09-26T18:59:59.746526255+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-26T18:59:59.886663992+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-26T18:59:59.886871343+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-26T18:59:59.886907918+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-26T18:59:59.886923804+00:00 INFO named:560 2017-09-26T18:59:59.886929563+00:00 INFO named:561 o o o 2017-09-26T18:59:59.886934524+00:00 INFO named:562 | | | 2017-09-26T18:59:59.886937829+00:00 INFO named:563 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-26T18:59:59.886940914+00:00 INFO named:564 | | | | \ | | | | | \ 2017-09-26T18:59:59.886943989+00:00 INFO named:565 o o o--o o-o o o-o o o o-o 2017-09-26T18:59:59.886947086+00:00 INFO named:566 2017-09-26T18:59:59.886949786+00:00 INFO named:550 awaiting connections... 
2017-09-26T18:59:59.886952854+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-26T19:00:20.442413314+00:00 INFO trust_dns_server::authority::catalog:43 request id: 48776 type: Query op_code: Query 2017-09-26T19:00:20.551246660+00:00 INFO trust_dns_server::authority::catalog:43 request id: 21180 type: Query op_code: Query 2017-09-26T19:00:20.688847592+00:00 INFO trust_dns_server::authority::catalog:43 request id: 46491 type: Query op_code: Query 2017-09-26T19:00:20.689019497+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17243 type: Query op_code: Query 2017-09-26T19:00:20.689083724+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17565 type: Query op_code: Query 2017-09-26T19:00:20.689127346+00:00 INFO trust_dns_server::authority::catalog:43 request id: 62546 type: Query op_code: Query 2017-09-26T19:00:20.689167497+00:00 INFO trust_dns_server::authority::catalog:43 request id: 10546 type: Query op_code: Query 2017-09-26T19:00:20.689206264+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3940 type: Query op_code: Query 2017-09-26T19:00:20.689241729+00:00 INFO trust_dns_server::authority::catalog:43 request id: 61451 type: Query op_code: Query 2017-09-26T19:00:20.689308424+00:00 INFO trust_dns_server::authority::catalog:43 request id: 60769 type: Query op_code: Query 2017-09-26T19:00:20.689349340+00:00 INFO trust_dns_server::authority::catalog:43 request id: 15629 type: Query op_code: Query 2017-09-26T19:00:20.689385603+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64584 type: Query op_code: Query 2017-09-26T19:00:20.793592807+00:00 INFO trust_dns_server::authority::catalog:43 request id: 53951 type: Query op_code: Query ^C ``` dnsviz scanned the zone in the second run and it isn't signed: http://dnsviz.net/d/ikenmeyer.com/e/178688396/dnssec/ * If you hover a bubble you can see the messages I quoted here: 
https://github.com/bluejekyll/trust-dns/issues/53#issuecomment-332020774 * There should be some blue lines inside the zone like here: http://dnsviz.net/d/ikenmeyer.eu/dnssec/ This order seems wrong to me: ``` WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available! [...] INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem" ``` Regarding > WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com. ``` $ dig SOA ikenmeyer.com @dev.h.terrax.net +short dev.h.terrax.net. hostmaster.terrax.net. 201709264 28800 7200 604800 86400 $ dig NS ikenmeyer.com @dev.h.terrax.net +short dev.h.terrax.net. $ dig DNSKEY ikenmeyer.com @dev.h.terrax.net +short 257 3 14 8tUooEy/VAzAhMSxEHA1M8/x7ixcK2KOfmMXF6q8FSMhHClxuRU92isu DIuLUhXXszPYW8UrHTmVfHqXOiUebmnAUwgD/oC0phjX2RQ/VuetAex/ YyK8qqNtGbxYzvXW ```
kerem 2026-03-07 22:18:47 +03:00

@bluejekyll commented on GitHub (Sep 26, 2017):

EDIT: I misread those logs. The output from reloading the journal file is just noting that the SOA doesn't exist until it has been read from the journal; after that the warning goes away.

We might want to add a flag to force load from the zone file, as that only happens on first load. That WARN about the key is suspicious... There might be an issue here with some of the options you're passing. Could you try tls with openssl for now and see if that works? (I think this would just mean running with default features). What I don't see is a message that the zone is being re-signed, so we need to figure out why that isn't happening.

I don't think I have any tests right now that guarantee the Server works with ring enabled...

(btw, I'm still not quite at a point where I would recommend running the Server as a publicly available authority).

<!-- gh-comment-id:332330923 --> @bluejekyll commented on GitHub (Sep 26, 2017): EDIT: I misread those logs. The output from the reload of the journal file is just mentioning the that the SOA doesn't exist up until that is read from the journal, then it goes away. We might want to add a flag to force load from the zone file, as that only happens on first load. That WARN about the key is suspicious... There might be an issue here with some of the options you're passing. Could you try tls with openssl for now and see if that works? (I think this would just mean running with default features). What I don't see is a message that the zone is being resigned, so we need to figure out why that isn't happening. I don't think I have any tests right now that guarantee the Server works with *ring* enabled... (btw, I'm still not quite at a point where I would recommend running the Server as a publicly available authority).

@bluejekyll commented on GitHub (Sep 26, 2017):

Also, I see you want to use TLS. This needs to be enabled with this config line:

tls_cert = { path = "sec/example.p12", subject_name = "ns.example.com", password = "testpass", create_if_absent = true }

See this for reference (the path, subject name and password in the line above are example values; use your own): https://github.com/bluejekyll/trust-dns/blob/master/server/tests/named_test_configs/dns_over_tls.toml

This might be a big ask, but I haven't had a lot of people reach out on issues with this. If you wouldn't mind capturing your setup, we could start some documentation on how to run the Server.

<!-- gh-comment-id:332333004 --> @bluejekyll commented on GitHub (Sep 26, 2017): Also, I see you want to use TLS, This needs to be enabled with this config line: ```toml tls_cert = { path = "sec/example.p12", subject_name = "ns.example.com", password = "testpass", create_if_absent = true } ``` see this for reference: https://github.com/bluejekyll/trust-dns/blob/master/server/tests/named_test_configs/dns_over_tls.toml This might be a big ask, but I haven't had a lot of people reach out on issues with this. If you wouldn't mind capturing your setup, we could start some documentation on how to run the Server.

@Darkspirit commented on GitHub (Sep 26, 2017):

> Can you try stopping and then removing the /home/trustdns/ikenmeyer.com.jrnl file, and then restarting?

first and second run would look the same as above

> Could you try tls with openssl for now and see if that works? (I think this would just mean running with default features)

Yes, it's my intention to help with alpha testing:

compiled without mentioning features

darkspirit@darkspirit:~/Downloads$ cargo uninstall trust-dns-server
    Removing /home/darkspirit/.cargo/bin/named
darkspirit@darkspirit:~/Downloads$ cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server
    Updating git repository `https://github.com/bluejekyll/trust-dns`
  Installing trust-dns-server v0.10.8 (https://github.com/bluejekyll/trust-dns#4433e12f)                                                   
    Updating registry `https://github.com/rust-lang/crates.io-index`                                                                       
   Compiling winapi-build v0.1.1                                                                                                           
   Compiling linked-hash-map v0.4.2                                                                                                        
   Compiling foreign-types v0.2.0                                                                                                          
   Compiling futures v0.1.16                                                                                                               
   Compiling winapi v0.2.8                                                                                                                 
   Compiling libc v0.2.31                                                                                                                  
   Compiling data-encoding v1.2.0                                                                                                          
   Compiling bitflags v0.7.0                                                                                                               
   Compiling backtrace v0.2.3                                                                                                              
   Compiling rustc-serialize v0.3.24                                                                                                       
   Compiling scoped-tls v0.1.0                                                                                                             
   Compiling utf8-ranges v0.1.3                                                                                                            
   Compiling rustc-demangle v0.1.5                                                                                                         
   Compiling regex-syntax v0.3.9                                                                                                           
   Compiling untrusted v0.5.1                                                                                                              
   Compiling byteorder v1.1.0                                                                                                              
   Compiling log v0.3.8                                                                                                                    
   Compiling lazy_static v0.2.8                                                                                                            
   Compiling cfg-if v0.1.2                                                                                                                 
   Compiling lazycell v0.5.1                                                                                                               
   Compiling openssl v0.9.19                                                                                                               
   Compiling num-traits v0.1.40                                                                                                            
   Compiling strsim v0.5.2                                                                                                                 
   Compiling gcc v0.3.54
   Compiling cc v1.0.0
   Compiling slab v0.3.0
   Compiling pkg-config v0.3.9
   Compiling bitflags v0.9.1
   Compiling lru-cache v0.1.1
   Compiling kernel32-sys v0.2.2
   Compiling dbghelp-sys v0.2.0
   Compiling memchr v0.1.11
   Compiling time v0.1.38
   Compiling rand v0.3.16
   Compiling iovec v0.1.0
   Compiling net2 v0.2.31
   Compiling num-integer v0.1.35
   Compiling aho-corasick v0.5.3
   Compiling bytes v0.4.5
   Compiling mio v0.6.10
   Compiling num-iter v0.1.34
   Compiling thread-id v2.0.0
   Compiling num v0.1.40
   Compiling thread_local v0.2.7
   Compiling chrono v0.4.0
   Compiling tokio-io v0.1.3
   Compiling libsqlite3-sys v0.6.2
   Compiling openssl-sys v0.9.19
   Compiling backtrace-sys v0.1.14
   Compiling toml v0.1.30
   Compiling tokio-core v0.1.9
   Compiling regex v0.1.80
   Compiling error-chain v0.1.12
   Compiling tokio-openssl v0.1.3
   Compiling trust-dns v0.11.4 (https://github.com/bluejekyll/trust-dns#4433e12f)
   Compiling docopt v0.6.86
   Compiling rusqlite v0.9.5
   Compiling trust-dns-server v0.10.8 (https://github.com/bluejekyll/trust-dns#4433e12f)
    Finished release [optimized] target(s) in 108.99 secs

renamed this build to named-default and uploaded it to my server. (reason)

deleted old journal and key:

root@dev:/home/trustdns# ls
`config.toml  ikenmeyer.com.zone  named  named-default`

first run

root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-26T20:59:07.711058748+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-26T20:59:07.711257477+00:00 INFO named:445 Trust-DNS 0.11.4 starting
2017-09-26T20:59:07.711333576+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml"
2017-09-26T20:59:07.711615992+00:00 INFO named:147 loading zone file: "/home/trustdns/ikenmeyer.com.zone"
2017-09-26T20:59:07.853670312+00:00 INFO named:167 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl"
2017-09-26T20:59:08.009226378+00:00 INFO trust_dns_server::authority::authority:154 persisting zone to journal at SOA.serial: 201709264
2017-09-26T20:59:08.342462074+00:00 INFO named:182 loaded zone: ikenmeyer.com.
2017-09-26T20:59:08.342631607+00:00 INFO named:258 creating key: "ikenmeyer.com.zone.csk.pem"
2017-09-26T20:59:08.346390102+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-26T20:59:08.346663410+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-26T20:59:08.346886406+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-26T20:59:08.346974007+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-26T20:59:08.347019550+00:00 INFO named:560 
2017-09-26T20:59:08.347063061+00:00 INFO named:561     o                      o            o             
2017-09-26T20:59:08.347106030+00:00 INFO named:562     |                      |            |             
2017-09-26T20:59:08.347134724+00:00 INFO named:563   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-26T20:59:08.347161330+00:00 INFO named:564     |    |    |  |   \     |         |  |  |  |   \   
2017-09-26T20:59:08.347188079+00:00 INFO named:565     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-26T20:59:08.347214947+00:00 INFO named:566 
2017-09-26T20:59:08.347241272+00:00 INFO named:550 awaiting connections...
2017-09-26T20:59:08.347267842+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
2017-09-26T20:59:49.578034920+00:00 INFO trust_dns_server::authority::catalog:43 request id: 4761 type: Query op_code: Query
2017-09-26T20:59:49.686297569+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23982 type: Query op_code: Query
2017-09-26T20:59:49.825418995+00:00 INFO trust_dns_server::authority::catalog:43 request id: 57144 type: Query op_code: Query
2017-09-26T20:59:49.825769631+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3411 type: Query op_code: Query
2017-09-26T20:59:49.825973547+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54509 type: Query op_code: Query
2017-09-26T20:59:49.826122398+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54490 type: Query op_code: Query
2017-09-26T20:59:49.826239458+00:00 INFO trust_dns_server::authority::catalog:43 request id: 11346 type: Query op_code: Query
2017-09-26T20:59:49.826350982+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38218 type: Query op_code: Query
2017-09-26T20:59:49.826440995+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7035 type: Query op_code: Query
2017-09-26T20:59:49.826564703+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7934 type: Query op_code: Query
2017-09-26T20:59:49.826650240+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54846 type: Query op_code: Query
2017-09-26T20:59:49.826734706+00:00 INFO trust_dns_server::authority::catalog:43 request id: 43330 type: Query op_code: Query
2017-09-26T20:59:49.929771591+00:00 INFO trust_dns_server::authority::catalog:43 request id: 51103 type: Query op_code: Query
^C

second run

root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-26T21:13:29.672301388+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-26T21:13:29.672607946+00:00 INFO named:445 Trust-DNS 0.11.4 starting
2017-09-26T21:13:29.672665837+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml"
2017-09-26T21:13:29.672900090+00:00 INFO named:128 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl"
2017-09-26T21:13:29.673628490+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal
2017-09-26T21:13:29.673788755+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com.
2017-09-26T21:13:29.673832159+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }
2017-09-26T21:13:29.673931682+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com.
2017-09-26T21:13:29.673968601+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) }
2017-09-26T21:13:29.674045025+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com.
2017-09-26T21:13:29.674081069+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) }
2017-09-26T21:13:29.674162930+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-26T21:13:29.674260159+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }
2017-09-26T21:13:29.674349202+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-26T21:13:29.674436524+00:00 WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available!
2017-09-26T21:13:29.674476933+00:00 INFO named:143 recovered zone: ikenmeyer.com.
2017-09-26T21:13:29.674513764+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-26T21:13:29.816938531+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-26T21:13:29.817275822+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-26T21:13:29.817381536+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-26T21:13:29.817451690+00:00 INFO named:560 
2017-09-26T21:13:29.817505726+00:00 INFO named:561     o                      o            o             
2017-09-26T21:13:29.817558341+00:00 INFO named:562     |                      |            |             
2017-09-26T21:13:29.817608626+00:00 INFO named:563   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-26T21:13:29.817658772+00:00 INFO named:564     |    |    |  |   \     |         |  |  |  |   \   
2017-09-26T21:13:29.817709022+00:00 INFO named:565     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-26T21:13:29.817759467+00:00 INFO named:566 
2017-09-26T21:13:29.817805645+00:00 INFO named:550 awaiting connections...
2017-09-26T21:13:29.817855832+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
2017-09-26T21:13:57.248452559+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64179 type: Query op_code: Query
2017-09-26T21:13:57.355699442+00:00 INFO trust_dns_server::authority::catalog:43 request id: 22313 type: Query op_code: Query
2017-09-26T21:13:57.499741632+00:00 INFO trust_dns_server::authority::catalog:43 request id: 20656 type: Query op_code: Query
2017-09-26T21:13:57.500035824+00:00 INFO trust_dns_server::authority::catalog:43 request id: 30911 type: Query op_code: Query
2017-09-26T21:13:57.500155904+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45567 type: Query op_code: Query
2017-09-26T21:13:57.500374160+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54729 type: Query op_code: Query
2017-09-26T21:13:57.500494263+00:00 INFO trust_dns_server::authority::catalog:43 request id: 39682 type: Query op_code: Query
2017-09-26T21:13:57.500599251+00:00 INFO trust_dns_server::authority::catalog:43 request id: 22881 type: Query op_code: Query
2017-09-26T21:13:57.500690900+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17232 type: Query op_code: Query
2017-09-26T21:13:57.500769291+00:00 INFO trust_dns_server::authority::catalog:43 request id: 36678 type: Query op_code: Query
2017-09-26T21:13:57.500841864+00:00 INFO trust_dns_server::authority::catalog:43 request id: 62257 type: Query op_code: Query
2017-09-26T21:13:57.500924375+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45077 type: Query op_code: Query
2017-09-26T21:13:57.604434631+00:00 INFO trust_dns_server::authority::catalog:43 request id: 44921 type: Query op_code: Query

http://dnsviz.net/d/ikenmeyer.com/e/178688972/dnssec/

> I don't think I have any tests right now that guarantee the Server works with ring enabled...

ring is relevant and cool, openssl not ;D

> (btw, I'm still not quite at a point where I would recommend running the Server as a publicly available authority).

It's an unused domain with an IPv6-only trustdns server inside my LXC rust playground container where I want to run my hyper project in the near future. My registrar currently does not support IPv6-only glue records, so I have to wait for it. I don't want to pay for two additional legacy IP addresses. This is why I currently have to type " @dev.h.terrax.net" (=trustdns) at the end of my dig commands.

> Also, I see you want to use TLS,

I set DNS over TLS as build feature, but did not configure it yet. This can wait until everything else works and should ideally rely on rustls. I would never run a domain without dnssec again. Didn't look into it yet. Definitely want it! Thanks for the quote.

> This might be a big ask, but I haven't had a lot of people reach out on issues with this. If you wouldn't mind capturing your setup, we could start some documentation on how to run the Server.

First a basic setup with dnssec, then I would try to find problems and open issues. I'm quite a rust newbie, so I am frightened to make a patch (for CAA, TLSA) possibly containing bugs.
As this is the most relevant rust dns server/client project, I am very interested in helping to make some tutorials. Storing everything in mysql like powerdns with a nice API would be great in the future.
(rust: mysql_async or rust-mysql-simple)

<!-- gh-comment-id:332341790 --> @Darkspirit commented on GitHub (Sep 26, 2017): > Can you try stopping and then removing the /home/trustdns/ikenmeyer.com.jrnl file, and then restarting? first and second run would look the same as above > Could you try tls with openssl for now and see if that works? (I think this would just mean running with default features) Yes, it's my intention to help with alpha testing: compiled without mentioning features ``` darkspirit@darkspirit:~/Downloads$ cargo uninstall trust-dns-server Removing /home/darkspirit/.cargo/bin/named darkspirit@darkspirit:~/Downloads$ cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server Updating git repository `https://github.com/bluejekyll/trust-dns` Installing trust-dns-server v0.10.8 (https://github.com/bluejekyll/trust-dns#4433e12f) Updating registry `https://github.com/rust-lang/crates.io-index` Compiling winapi-build v0.1.1 Compiling linked-hash-map v0.4.2 Compiling foreign-types v0.2.0 Compiling futures v0.1.16 Compiling winapi v0.2.8 Compiling libc v0.2.31 Compiling data-encoding v1.2.0 Compiling bitflags v0.7.0 Compiling backtrace v0.2.3 Compiling rustc-serialize v0.3.24 Compiling scoped-tls v0.1.0 Compiling utf8-ranges v0.1.3 Compiling rustc-demangle v0.1.5 Compiling regex-syntax v0.3.9 Compiling untrusted v0.5.1 Compiling byteorder v1.1.0 Compiling log v0.3.8 Compiling lazy_static v0.2.8 Compiling cfg-if v0.1.2 Compiling lazycell v0.5.1 Compiling openssl v0.9.19 Compiling num-traits v0.1.40 Compiling strsim v0.5.2 Compiling gcc v0.3.54 Compiling cc v1.0.0 Compiling slab v0.3.0 Compiling pkg-config v0.3.9 Compiling bitflags v0.9.1 Compiling lru-cache v0.1.1 Compiling kernel32-sys v0.2.2 Compiling dbghelp-sys v0.2.0 Compiling memchr v0.1.11 Compiling time v0.1.38 Compiling rand v0.3.16 Compiling iovec v0.1.0 Compiling net2 v0.2.31 Compiling num-integer v0.1.35 Compiling aho-corasick v0.5.3 Compiling bytes v0.4.5 Compiling mio v0.6.10 Compiling num-iter v0.1.34 Compiling 
thread-id v2.0.0 Compiling num v0.1.40 Compiling thread_local v0.2.7 Compiling chrono v0.4.0 Compiling tokio-io v0.1.3 Compiling libsqlite3-sys v0.6.2 Compiling openssl-sys v0.9.19 Compiling backtrace-sys v0.1.14 Compiling toml v0.1.30 Compiling tokio-core v0.1.9 Compiling regex v0.1.80 Compiling error-chain v0.1.12 Compiling tokio-openssl v0.1.3 Compiling trust-dns v0.11.4 (https://github.com/bluejekyll/trust-dns#4433e12f) Compiling docopt v0.6.86 Compiling rusqlite v0.9.5 Compiling trust-dns-server v0.10.8 (https://github.com/bluejekyll/trust-dns#4433e12f) Finished release [optimized] target(s) in 108.99 secs ``` renamed this build to named-default and uploaded it to my server. ([reason](https://twitter.com/TerraX_net/status/912466917532798978)) deleted old journal and key: ``` root@dev:/home/trustdns# ls `config.toml ikenmeyer.com.zone named named-default` ``` first run ``` root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ 2017-09-26T20:59:07.711058748+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-26T20:59:07.711257477+00:00 INFO named:445 Trust-DNS 0.11.4 starting 2017-09-26T20:59:07.711333576+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml" 2017-09-26T20:59:07.711615992+00:00 INFO named:147 loading zone file: "/home/trustdns/ikenmeyer.com.zone" 2017-09-26T20:59:07.853670312+00:00 INFO named:167 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-26T20:59:08.009226378+00:00 INFO trust_dns_server::authority::authority:154 persisting zone to journal at SOA.serial: 201709264 2017-09-26T20:59:08.342462074+00:00 INFO named:182 loaded zone: ikenmeyer.com. 
2017-09-26T20:59:08.342631607+00:00 INFO named:258 creating key: "ikenmeyer.com.zone.csk.pem" 2017-09-26T20:59:08.346390102+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-26T20:59:08.346663410+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-26T20:59:08.346886406+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-26T20:59:08.346974007+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-26T20:59:08.347019550+00:00 INFO named:560 2017-09-26T20:59:08.347063061+00:00 INFO named:561 o o o 2017-09-26T20:59:08.347106030+00:00 INFO named:562 | | | 2017-09-26T20:59:08.347134724+00:00 INFO named:563 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-26T20:59:08.347161330+00:00 INFO named:564 | | | | \ | | | | | \ 2017-09-26T20:59:08.347188079+00:00 INFO named:565 o o o--o o-o o o-o o o o-o 2017-09-26T20:59:08.347214947+00:00 INFO named:566 2017-09-26T20:59:08.347241272+00:00 INFO named:550 awaiting connections... 
2017-09-26T20:59:08.347267842+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-26T20:59:49.578034920+00:00 INFO trust_dns_server::authority::catalog:43 request id: 4761 type: Query op_code: Query 2017-09-26T20:59:49.686297569+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23982 type: Query op_code: Query 2017-09-26T20:59:49.825418995+00:00 INFO trust_dns_server::authority::catalog:43 request id: 57144 type: Query op_code: Query 2017-09-26T20:59:49.825769631+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3411 type: Query op_code: Query 2017-09-26T20:59:49.825973547+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54509 type: Query op_code: Query 2017-09-26T20:59:49.826122398+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54490 type: Query op_code: Query 2017-09-26T20:59:49.826239458+00:00 INFO trust_dns_server::authority::catalog:43 request id: 11346 type: Query op_code: Query 2017-09-26T20:59:49.826350982+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38218 type: Query op_code: Query 2017-09-26T20:59:49.826440995+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7035 type: Query op_code: Query 2017-09-26T20:59:49.826564703+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7934 type: Query op_code: Query 2017-09-26T20:59:49.826650240+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54846 type: Query op_code: Query 2017-09-26T20:59:49.826734706+00:00 INFO trust_dns_server::authority::catalog:43 request id: 43330 type: Query op_code: Query 2017-09-26T20:59:49.929771591+00:00 INFO trust_dns_server::authority::catalog:43 request id: 51103 type: Query op_code: Query ^C ``` second run ``` root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ 2017-09-26T21:13:29.672301388+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-26T21:13:29.672607946+00:00 INFO 
named:445 Trust-DNS 0.11.4 starting 2017-09-26T21:13:29.672665837+00:00 INFO named:452 loading configuration from: "/home/trustdns/config.toml" 2017-09-26T21:13:29.672900090+00:00 INFO named:128 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-26T21:13:29.673628490+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal 2017-09-26T21:13:29.673788755+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com. 2017-09-26T21:13:29.673832159+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-26T21:13:29.673931682+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com. 2017-09-26T21:13:29.673968601+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) } 2017-09-26T21:13:29.674045025+00:00 WARN trust_dns_server::authority::authority:255 no soa record found for zone: ikenmeyer.com. 
2017-09-26T21:13:29.674081069+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) } 2017-09-26T21:13:29.674162930+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 2017-09-26T21:13:29.674260159+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-26T21:13:29.674349202+00:00 INFO trust_dns_server::authority::authority:736 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 2017-09-26T21:13:29.674436524+00:00 WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available! 2017-09-26T21:13:29.674476933+00:00 INFO named:143 recovered zone: ikenmeyer.com. 
2017-09-26T21:13:29.674513764+00:00 INFO named:279 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-26T21:13:29.816938531+00:00 INFO named:219 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-26T21:13:29.817275822+00:00 INFO named:506 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-26T21:13:29.817381536+00:00 INFO named:512 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-26T21:13:29.817451690+00:00 INFO named:560 2017-09-26T21:13:29.817505726+00:00 INFO named:561 o o o 2017-09-26T21:13:29.817558341+00:00 INFO named:562 | | | 2017-09-26T21:13:29.817608626+00:00 INFO named:563 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-26T21:13:29.817658772+00:00 INFO named:564 | | | | \ | | | | | \ 2017-09-26T21:13:29.817709022+00:00 INFO named:565 o o o--o o-o o o-o o o o-o 2017-09-26T21:13:29.817759467+00:00 INFO named:566 2017-09-26T21:13:29.817805645+00:00 INFO named:550 awaiting connections... 
2017-09-26T21:13:29.817855832+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-26T21:13:57.248452559+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64179 type: Query op_code: Query 2017-09-26T21:13:57.355699442+00:00 INFO trust_dns_server::authority::catalog:43 request id: 22313 type: Query op_code: Query 2017-09-26T21:13:57.499741632+00:00 INFO trust_dns_server::authority::catalog:43 request id: 20656 type: Query op_code: Query 2017-09-26T21:13:57.500035824+00:00 INFO trust_dns_server::authority::catalog:43 request id: 30911 type: Query op_code: Query 2017-09-26T21:13:57.500155904+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45567 type: Query op_code: Query 2017-09-26T21:13:57.500374160+00:00 INFO trust_dns_server::authority::catalog:43 request id: 54729 type: Query op_code: Query 2017-09-26T21:13:57.500494263+00:00 INFO trust_dns_server::authority::catalog:43 request id: 39682 type: Query op_code: Query 2017-09-26T21:13:57.500599251+00:00 INFO trust_dns_server::authority::catalog:43 request id: 22881 type: Query op_code: Query 2017-09-26T21:13:57.500690900+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17232 type: Query op_code: Query 2017-09-26T21:13:57.500769291+00:00 INFO trust_dns_server::authority::catalog:43 request id: 36678 type: Query op_code: Query 2017-09-26T21:13:57.500841864+00:00 INFO trust_dns_server::authority::catalog:43 request id: 62257 type: Query op_code: Query 2017-09-26T21:13:57.500924375+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45077 type: Query op_code: Query 2017-09-26T21:13:57.604434631+00:00 INFO trust_dns_server::authority::catalog:43 request id: 44921 type: Query op_code: Query ``` http://dnsviz.net/d/ikenmeyer.com/e/178688972/dnssec/ > I don't think I have any tests right now that guarantee the Server works with ring enabled... 
ring is relevant and cool, openssl not ;D > (btw, I'm still not quite at a point where I would recommend running the Server as a publicly available authority). It's an unused domain with an IPv6-only trustdns server inside my LXC rust playground container where I want to run my hyper project in the near future. My registrar currently does not support IPv6-only glue records, so I have to wait for it. I don't want to pay for two addtional legacy IP addresses. This is why I currently have to type " @dev.h.terrax.net" (=trustdns) at the end of my dig commands. > Also, I see you want to use TLS, I set DNS over TLS as build feature, but did not configure it yet. This can wait until everything else works and should ideally rely on rustls. I would never run a domain without dnssec again. Didn't look into it yet. Definitely want it! Thanks for the quote. > This might be a big ask, but I haven't had a lot of people reach out on issues with this. If you wouldn't mind capturing your setup, we could start some documentation on how to run the Server. First a basic setup with dnssec, then I would try to find problems and open issues. I'm quite a rust newbie, so I am frightened to make a patch (for CAA, TLSA) possibly containing bugs. As this is the most relevant rust dns server/client project, I am very interested in helping to make some tutorials. Storing everything in mysql like powerdns with a nice API would be great in the future. (rust: [mysql_async](https://github.com/blackbeam/mysql_async) or [rust-mysql-simple](https://github.com/blackbeam/rust-mysql-simple))

@bluejekyll commented on GitHub (Sep 26, 2017):

> Yes, it's my intention to help with alpha testing:

Awesome! Thank you!

Ok, I think this is our issue, as you already pointed out:

WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available!

My guess is that there's an ordering problem in this scenario where the Journal is being loaded, I'm trying to re-sign the zone, and only then the key is being read. Give me a little bit, and I can track down why that's happening.

>> I don't think I have any tests right now that guarantee the Server works with ring enabled...
> ring is relevant and cool, openssl not ;D

It most definitely is! I just haven't been spending as much time on the Server as I have on the client and resolver lately, so you're probably going to find some inconsistencies. This is why I was hoping that OpenSSL would just work.

One thing that won't work with ring right now is key generation. So if that's being used, OpenSSL at least needs to be enabled for that. There are a bunch of code paths that need to be validated for that.

> I set DNS over TLS as build feature, but did not configure it yet. This can wait until everything else works and should ideally rely on rustls.

Cool.

<!-- gh-comment-id:332346008 --> @bluejekyll commented on GitHub (Sep 26, 2017): > Yes, it's my intention to help with alpha testing: Awesome! Thank you! Ok, I think this is our issue, as you already pointed out: ```console WARN trust_dns_server::authority::authority:1129 attempt to sign_zone for dnssec, but no keys available! ``` My guess is that there's an ordering problem in this scenario where the Journal is being loaded, I'm trying to resign, and then the key is being read. Give me a little bit, and I can track down why that's happening. >> I don't think I have any tests right now that guarantee the Server works with ring enabled... > ring is relevant and cool, openssl not ;D It most definitely is! I just haven't been spending as much time on the Server as I have on the client and resolver lately, so you're probably going to find some inconsistencies. This is why I was hoping that OpenSSL would just work. One thing that won't work with *ring* right now is key generation. So If that's being used, OpenSSL at least needs to be enabled for that. There are a bunch of code paths that need to be validated for that. > I set DNS over TLS as build feature, but did not configure it yet. This can wait until everything else works and should ideally rely on rustls. Cool.

@bluejekyll commented on GitHub (Sep 26, 2017):

So the journal is recovered here:

https://github.com/bluejekyll/trust-dns/blob/master/server/src/named.rs#L127

here's the attempted zone signing:

https://github.com/bluejekyll/trust-dns/blob/master/server/src/authority/authority.rs#L139

then the key is associated here:

https://github.com/bluejekyll/trust-dns/blob/master/server/src/named.rs#L223

After line 223, we should actually try to re-sign the zone; that logic could go here:

https://github.com/bluejekyll/trust-dns/blob/master/server/src/authority/authority.rs#L106.

I clearly don't have a good test case for this case. This might be the best place for a call to Authority::secure_zone(), here:

https://github.com/bluejekyll/trust-dns/blob/master/server/src/named.rs#L229

and that would resolve all of this. We should also clean up the signing at the end of a Journal load. For now, the workaround (lame, I know) would be to do a dynamic update, which is currently the only thing that appears to trigger the zone signing here:

https://github.com/bluejekyll/trust-dns/blob/master/server/src/authority/authority.rs#L809

And that is definitely tested...

Sorry for this! It's a major gap in the testing that I didn't notice! I'll work on a patch tonight.

<!-- gh-comment-id:332349675 --> @bluejekyll commented on GitHub (Sep 26, 2017): So the journal is recovered here: https://github.com/bluejekyll/trust-dns/blob/master/server/src/named.rs#L127 here's the attempted zone signing: https://github.com/bluejekyll/trust-dns/blob/master/server/src/authority/authority.rs#L139 then the key is associated here: https://github.com/bluejekyll/trust-dns/blob/master/server/src/named.rs#L223 After 223, we should actually try to resign the zone, that logic could go here: https://github.com/bluejekyll/trust-dns/blob/master/server/src/authority/authority.rs#L106. I clearly don't have a good test case for this case. This might be the best place for a call to Authority::secure_zone(), here: https://github.com/bluejekyll/trust-dns/blob/master/server/src/named.rs#L229 and that would resolve all of this. We should also cleanup the signing at the end of a Journal load. For now, the work around (lame I know) would be to do a dynamic update, which is currently the only thing that appears to trigger the zone signing here: https://github.com/bluejekyll/trust-dns/blob/master/server/src/authority/authority.rs#L809 And that is definitely tested... Sorry for this! It's a major gap in the testing that I didn't notice! I'll work on a patch tonight.

@bluejekyll commented on GitHub (Sep 27, 2017):

@TerraX-net please let me know if this fixes your issue. I've opened another issue for creating an integration test for this particular case.

<!-- gh-comment-id:332406895 --> @bluejekyll commented on GitHub (Sep 27, 2017): @TerraX-net please let me know if this fixes your issue. I've opened another issue for creating an integration test for this particular case.

@Darkspirit commented on GitHub (Sep 27, 2017):

Overview

It seems that only RSASHA256 is working now (or I am doing something wrong).
I am primarily interested in ECDSA P384 and EdDSA.

Compiled on my Debian Testing desktop (rust stable) and running inside a Debian Testing LXC container (rust stable).
Only a CSK (RSA/EC = pem, ED = pk8) was tested.
The jrnl and pem/pk8 files were deleted before each table cell.

| build | RSA SHA256 | RSA SHA512 | ECDSA P256SHA256 | ECDSA P384SHA384 | ED25519 |
|---|---|---|---|---|---|
| without features | 1:ok?, 2:ok? | 1:no, 2:no | 1:no, 2:no | 1:no, 2:no | 1:error\*, 2:error\*\* |
| features=tls,ring | 1:ok? | 1:no | 1:no | 1:no | 1:no\*\*\* |

*)
2017-09-27T17:32:46.152411591+00:00 ERROR named:507 could not load zone ikenmeyer.com.: failed to load key: "ikenmeyer.com.zone.csk.pem" msg: could not generate key: unsupported Algorithm, enable openssl or ring feature: ED25519
**)
openssl genpkey -algorithm X25519 | openssl pkcs8 -nocrypt -outform der > ikenmeyer.com.zone.csk.pk8
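# maybe this openssl command was just wrong to manually create an X25519 keypair as pk8: X25519 is a key-agreement key type, while the ED25519 DNSSEC algorithm needs an Ed25519 signing key.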
2017-09-27T17:41:17.662520044+00:00 ERROR named:507 could not load zone ikenmeyer.com.: failed to load key: "ikenmeyer.com.zone.csk.pk8" msg: could not decode key: unsupported key format with ED25519 (only Pkcs8 supported): Pkcs8
***)
Although dnsviz does not support ed25519 it can display it partially: ed25519.nl


My first tests:

compiled with:

darkspirit@darkspirit:~$ cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --features tls,ring --force
    Updating git repository `https://github.com/bluejekyll/trust-dns`
  Installing trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da)
    Updating registry `https://github.com/rust-lang/crates.io-index`
   Compiling backtrace v0.2.3
   Compiling libc v0.2.31
   Compiling utf8-ranges v0.1.3
   Compiling gcc v0.3.54
   Compiling lazycell v0.5.1
   Compiling winapi-build v0.1.1
   Compiling winapi v0.2.8
   Compiling either v1.1.0
   Compiling rayon-core v1.2.1
   Compiling num-traits v0.1.40
   Compiling data-encoding v1.2.0
   Compiling cc v1.0.0
   Compiling lazy_static v0.2.8
   Compiling pkg-config v0.3.9
   Compiling untrusted v0.5.1
   Compiling futures v0.1.16
   Compiling strsim v0.5.2
   Compiling bitflags v0.9.1
   Compiling byteorder v1.1.0
   Compiling bitflags v0.7.0
   Compiling scopeguard v0.3.2
   Compiling log v0.3.8
   Compiling foreign-types v0.2.0
   Compiling cfg-if v0.1.2
   Compiling rustc-demangle v0.1.5                                                                                                         
   Compiling scoped-tls v0.1.0                                                                                                             
   Compiling rustc-serialize v0.3.24                                                                                                       
   Compiling openssl v0.9.19                                                                                                               
   Compiling slab v0.3.0                                                                                                                   
   Compiling linked-hash-map v0.4.2                                                                                                        
   Compiling regex-syntax v0.3.9                                                                                                           
   Compiling dbghelp-sys v0.2.0                                                                                                            
   Compiling kernel32-sys v0.2.2                                                                                                           
   Compiling memchr v0.1.11                                                                                                                
   Compiling num_cpus v1.6.2                                                                                                               
   Compiling time v0.1.38                                                                                                                  
   Compiling iovec v0.1.0                                                                                                                  
   Compiling rand v0.3.16                                                                                                                  
   Compiling num-integer v0.1.35                                                                                                           
   Compiling coco v0.1.1                                                                                                                   
   Compiling net2 v0.2.31                                                                                                                  
   Compiling lru-cache v0.1.1                                                                                                              
   Compiling aho-corasick v0.5.3                                                                                                           
   Compiling bytes v0.4.5                                                                                                                  
   Compiling num-iter v0.1.34                                                                                                              
   Compiling libsqlite3-sys v0.6.2                                                                                                         
   Compiling openssl-sys v0.9.19                                                                                                           
   Compiling backtrace-sys v0.1.14                                                                                                         
   Compiling num v0.1.40                                                                                                                   
   Compiling mio v0.6.10                                                                                                                   
   Compiling thread-id v2.0.0                                                                                                              
   Compiling chrono v0.4.0                                                                                                                 
   Compiling tokio-io v0.1.3                                                                                                               
   Compiling thread_local v0.2.7                                                                                                           
   Compiling rayon v0.8.2                                                                                                                  
   Compiling tokio-core v0.1.9                                                                                                             
   Compiling toml v0.1.30                                                                                                                  
   Compiling ring v0.12.1                                                                                                                  
   Compiling regex v0.1.80                                                                                                                 
   Compiling error-chain v0.1.12                                                                                                           
   Compiling tokio-openssl v0.1.3                                                                                                          
   Compiling trust-dns v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da)                                                          
   Compiling docopt v0.6.86                                                                                                                
   Compiling rusqlite v0.9.5                                                                                                               
   Compiling trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da)                                                   
    Finished release [optimized] target(s) in 111.45 secs                                                                                  
  Installing /home/darkspirit/.cargo/bin/named

then uploaded it to my server (reason).

first run

root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-27T16:48:25.928121022+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-27T16:48:25.928333704+00:00 INFO named:482 Trust-DNS 0.12.0 starting
2017-09-27T16:48:25.928380810+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml"                                
2017-09-27T16:48:25.928555690+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone"                                  
2017-09-27T16:48:26.070995968+00:00 INFO named:174 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl"                                   
2017-09-27T16:48:26.152066148+00:00 INFO trust_dns_server::authority::authority:155 persisting zone to journal at SOA.serial: 201709264    
2017-09-27T16:48:26.269129007+00:00 INFO named:187 loaded zone: ikenmeyer.com.                                                             
2017-09-27T16:48:26.269357142+00:00 INFO named:267 creating key: "ikenmeyer.com.zone.csk.pem"                                              
2017-09-27T16:48:26.280650931+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem"                                               
2017-09-27T16:48:26.281044753+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true           
2017-09-27T16:48:26.292231248+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }          
2017-09-27T16:48:26.292442431+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }        
2017-09-27T16:48:26.292572466+00:00 INFO named:606                                                                                         
2017-09-27T16:48:26.292672356+00:00 INFO named:607     o                      o            o                                               
2017-09-27T16:48:26.292816776+00:00 INFO named:608     |                      |            |                                               
2017-09-27T16:48:26.292915393+00:00 INFO named:609   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o                                    
2017-09-27T16:48:26.292988848+00:00 INFO named:610     |    |    |  |   \     |         |  |  |  |   \                                     
2017-09-27T16:48:26.293027151+00:00 INFO named:611     o    o    o--o  o-o    o          o-o  o  o  o-o                                    
2017-09-27T16:48:26.293053619+00:00 INFO named:612                                                                                         
2017-09-27T16:48:26.293079104+00:00 INFO named:596 awaiting connections...                                                                 
2017-09-27T16:48:26.293104449+00:00 INFO trust_dns_server::server::server_future:203 Server starting up                                    
2017-09-27T16:49:04.964635667+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64494 type: Query op_code: Query              
2017-09-27T16:49:05.076221647+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45503 type: Query op_code: Query              
2017-09-27T16:49:05.211141027+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38078 type: Query op_code: Query              
2017-09-27T16:49:05.211420670+00:00 INFO trust_dns_server::authority::catalog:43 request id: 10242 type: Query op_code: Query              
2017-09-27T16:49:05.211553647+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3227 type: Query op_code: Query               
2017-09-27T16:49:05.211689100+00:00 INFO trust_dns_server::authority::catalog:43 request id: 29821 type: Query op_code: Query              
2017-09-27T16:49:05.211829012+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23431 type: Query op_code: Query              
2017-09-27T16:49:05.211967073+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3526 type: Query op_code: Query               
2017-09-27T16:49:05.212071055+00:00 INFO trust_dns_server::authority::catalog:43 request id: 785 type: Query op_code: Query                
2017-09-27T16:49:05.212186271+00:00 INFO trust_dns_server::authority::catalog:43 request id: 22808 type: Query op_code: Query              
2017-09-27T16:49:05.212288174+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3050 type: Query op_code: Query               
2017-09-27T16:49:05.212359021+00:00 INFO trust_dns_server::authority::catalog:43 request id: 41640 type: Query op_code: Query              
2017-09-27T16:49:05.315577693+00:00 INFO trust_dns_server::authority::catalog:43 request id: 61156 type: Query op_code: Query              
^C

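second run (the zone is recovered from the journal; note the WARN "attempt to sign_zone for dnssec, but no keys available!", which is logged before the key file is read):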

root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/                                
2017-09-27T16:49:48.905852899+00:00 INFO trust_dns::logger:26 logging initialized                                                          
2017-09-27T16:49:48.905918562+00:00 INFO named:482 Trust-DNS 0.12.0 starting                                                               
2017-09-27T16:49:48.905923988+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml"                                
2017-09-27T16:49:48.906112354+00:00 INFO named:135 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl"                       
2017-09-27T16:49:48.906820135+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal                                
2017-09-27T16:49:48.906903438+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com.           
2017-09-27T16:49:48.906917034+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }                                        
2017-09-27T16:49:48.906967534+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com.
2017-09-27T16:49:48.906975767+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) }
2017-09-27T16:49:48.907019255+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com.
2017-09-27T16:49:48.907026976+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) }
2017-09-27T16:49:48.907079563+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-27T16:49:48.907122550+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }
2017-09-27T16:49:48.907166124+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-27T16:49:48.907214470+00:00 WARN trust_dns_server::authority::authority:1130 attempt to sign_zone for dnssec, but no keys available!
2017-09-27T16:49:48.907233121+00:00 INFO named:152 recovered zone: ikenmeyer.com.
2017-09-27T16:49:48.907249281+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T16:49:49.050777818+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-27T16:49:49.060890812+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-27T16:49:49.060941704+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-27T16:49:49.060954438+00:00 INFO named:606 
2017-09-27T16:49:49.060960983+00:00 INFO named:607     o                      o            o             
2017-09-27T16:49:49.060964248+00:00 INFO named:608     |                      |            |             
2017-09-27T16:49:49.060968785+00:00 INFO named:609   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-27T16:49:49.060973740+00:00 INFO named:610     |    |    |  |   \     |         |  |  |  |   \   
2017-09-27T16:49:49.060978848+00:00 INFO named:611     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-27T16:49:49.060983900+00:00 INFO named:612 
2017-09-27T16:49:49.060988331+00:00 INFO named:596 awaiting connections...
2017-09-27T16:49:49.060992919+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
2017-09-27T16:50:02.052841469+00:00 INFO trust_dns_server::authority::catalog:43 request id: 43220 type: Query op_code: Query
2017-09-27T16:50:02.160351654+00:00 INFO trust_dns_server::authority::catalog:43 request id: 26480 type: Query op_code: Query
2017-09-27T16:50:02.295859278+00:00 INFO trust_dns_server::authority::catalog:43 request id: 8729 type: Query op_code: Query
2017-09-27T16:50:02.295978724+00:00 INFO trust_dns_server::authority::catalog:43 request id: 37382 type: Query op_code: Query
2017-09-27T16:50:02.296037486+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7186 type: Query op_code: Query
2017-09-27T16:50:02.296093046+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17650 type: Query op_code: Query
2017-09-27T16:50:02.296159997+00:00 INFO trust_dns_server::authority::catalog:43 request id: 56029 type: Query op_code: Query
2017-09-27T16:50:02.296237177+00:00 INFO trust_dns_server::authority::catalog:43 request id: 12650 type: Query op_code: Query
2017-09-27T16:50:02.296282191+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38987 type: Query op_code: Query
2017-09-27T16:50:02.296328112+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23934 type: Query op_code: Query
2017-09-27T16:50:02.296378103+00:00 INFO trust_dns_server::authority::catalog:43 request id: 50514 type: Query op_code: Query
2017-09-27T16:50:02.296414992+00:00 INFO trust_dns_server::authority::catalog:43 request id: 35756 type: Query op_code: Query
2017-09-27T16:50:02.399859969+00:00 INFO trust_dns_server::authority::catalog:43 request id: 492 type: Query op_code: Query

second build (without "features"):

darkspirit@darkspirit:~$ cargo uninstall trust-dns-server
darkspirit@darkspirit:~$ rm -rf ~/.cargo/git
darkspirit@darkspirit:~$ cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server
    Updating git repository `https://github.com/bluejekyll/trust-dns`
  Installing trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da)
    Updating registry `https://github.com/rust-lang/crates.io-index`
   Compiling openssl v0.9.19
   Compiling slab v0.3.0
   Compiling gcc v0.3.54
   Compiling regex-syntax v0.3.9
   Compiling pkg-config v0.3.9
   Compiling lazy_static v0.2.8
   Compiling cc v1.0.0
   Compiling bitflags v0.9.1
   Compiling linked-hash-map v0.4.2
   Compiling untrusted v0.5.1
   Compiling libc v0.2.31
   Compiling rustc-serialize v0.3.24
   Compiling backtrace v0.2.3
   Compiling cfg-if v0.1.2
   Compiling winapi v0.2.8
   Compiling strsim v0.5.2
   Compiling scoped-tls v0.1.0
   Compiling foreign-types v0.2.0
   Compiling utf8-ranges v0.1.3
   Compiling winapi-build v0.1.1
   Compiling log v0.3.8
   Compiling rustc-demangle v0.1.5
   Compiling lazycell v0.5.1
   Compiling bitflags v0.7.0
   Compiling data-encoding v1.2.0
   Compiling num-traits v0.1.40
   Compiling byteorder v1.1.0
   Compiling futures v0.1.16
   Compiling lru-cache v0.1.1
   Compiling net2 v0.2.31
   Compiling rand v0.3.16
   Compiling memchr v0.1.11
   Compiling time v0.1.38
   Compiling iovec v0.1.0
   Compiling dbghelp-sys v0.2.0
   Compiling kernel32-sys v0.2.2
   Compiling num-integer v0.1.35
   Compiling aho-corasick v0.5.3
   Compiling bytes v0.4.5
   Compiling mio v0.6.10
   Compiling backtrace-sys v0.1.14
   Compiling openssl-sys v0.9.19
   Compiling num-iter v0.1.34
   Compiling libsqlite3-sys v0.6.2
   Compiling num v0.1.40
   Compiling tokio-io v0.1.3
   Compiling thread-id v2.0.0
   Compiling chrono v0.4.0
   Compiling thread_local v0.2.7
   Compiling toml v0.1.30
   Compiling tokio-core v0.1.9
   Compiling regex v0.1.80
   Compiling error-chain v0.1.12
   Compiling tokio-openssl v0.1.3
   Compiling trust-dns v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da)
   Compiling docopt v0.6.86
   Compiling rusqlite v0.9.5
   Compiling trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da)
    Finished release [optimized] target(s) in 107.85 secs
  Installing /home/darkspirit/.cargo/bin/named

Renamed it to named-default and uploaded it. Removed the existing .pem (key) and .jrnl (journal) files.

first run:

root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-27T16:56:24.623014330+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-27T16:56:24.623217921+00:00 INFO named:482 Trust-DNS 0.12.0 starting
2017-09-27T16:56:24.623303801+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml"
2017-09-27T16:56:24.623519088+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone"
2017-09-27T16:56:24.765674755+00:00 INFO named:174 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl"
2017-09-27T16:56:24.873041341+00:00 INFO trust_dns_server::authority::authority:155 persisting zone to journal at SOA.serial: 201709264
2017-09-27T16:56:25.015738448+00:00 INFO named:187 loaded zone: ikenmeyer.com.
2017-09-27T16:56:25.016019238+00:00 INFO named:267 creating key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T16:56:25.022432348+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T16:56:25.023053402+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-27T16:56:25.037339733+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-27T16:56:25.037612321+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-27T16:56:25.037698963+00:00 INFO named:606 
2017-09-27T16:56:25.037794691+00:00 INFO named:607     o                      o            o             
2017-09-27T16:56:25.037887782+00:00 INFO named:608     |                      |            |             
2017-09-27T16:56:25.037969254+00:00 INFO named:609   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-27T16:56:25.038006180+00:00 INFO named:610     |    |    |  |   \     |         |  |  |  |   \   
2017-09-27T16:56:25.038038892+00:00 INFO named:611     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-27T16:56:25.038071452+00:00 INFO named:612 
2017-09-27T16:56:25.038103545+00:00 INFO named:596 awaiting connections...
2017-09-27T16:56:25.038135827+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
2017-09-27T16:56:39.269185776+00:00 INFO trust_dns_server::authority::catalog:43 request id: 49048 type: Query op_code: Query
2017-09-27T16:56:39.378275702+00:00 INFO trust_dns_server::authority::catalog:43 request id: 13244 type: Query op_code: Query
2017-09-27T16:56:39.517760024+00:00 INFO trust_dns_server::authority::catalog:43 request id: 48218 type: Query op_code: Query
2017-09-27T16:56:39.517999991+00:00 INFO trust_dns_server::authority::catalog:43 request id: 53684 type: Query op_code: Query
2017-09-27T16:56:39.518134110+00:00 INFO trust_dns_server::authority::catalog:43 request id: 13335 type: Query op_code: Query
2017-09-27T16:56:39.518243683+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45192 type: Query op_code: Query
2017-09-27T16:56:39.518418991+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7574 type: Query op_code: Query
2017-09-27T16:56:39.518522946+00:00 INFO trust_dns_server::authority::catalog:43 request id: 20714 type: Query op_code: Query
2017-09-27T16:56:39.518602053+00:00 INFO trust_dns_server::authority::catalog:43 request id: 46200 type: Query op_code: Query
2017-09-27T16:56:39.518696023+00:00 INFO trust_dns_server::authority::catalog:43 request id: 48644 type: Query op_code: Query
2017-09-27T16:56:39.518773535+00:00 INFO trust_dns_server::authority::catalog:43 request id: 59742 type: Query op_code: Query
2017-09-27T16:56:39.518860106+00:00 INFO trust_dns_server::authority::catalog:43 request id: 40438 type: Query op_code: Query
2017-09-27T16:56:39.620979647+00:00 INFO trust_dns_server::authority::catalog:43 request id: 42591 type: Query op_code: Query

second run:

root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-27T16:57:12.701629711+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-27T16:57:12.701841378+00:00 INFO named:482 Trust-DNS 0.12.0 starting
2017-09-27T16:57:12.701923781+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml"
2017-09-27T16:57:12.702137232+00:00 INFO named:135 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl"
2017-09-27T16:57:12.702666515+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal
2017-09-27T16:57:12.702854125+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com.
2017-09-27T16:57:12.702900009+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }
2017-09-27T16:57:12.702995286+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com.
2017-09-27T16:57:12.703035718+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) }
2017-09-27T16:57:12.703119519+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com.
2017-09-27T16:57:12.703159997+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) }
2017-09-27T16:57:12.703251744+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-27T16:57:12.703377+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) }
2017-09-27T16:57:12.703481928+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) }
2017-09-27T16:57:12.703573317+00:00 WARN trust_dns_server::authority::authority:1130 attempt to sign_zone for dnssec, but no keys available!
2017-09-27T16:57:12.703613667+00:00 INFO named:152 recovered zone: ikenmeyer.com.
2017-09-27T16:57:12.703653511+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T16:57:12.842448864+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-27T16:57:12.852445477+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-27T16:57:12.852547073+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-27T16:57:12.852604179+00:00 INFO named:606 
2017-09-27T16:57:12.852673901+00:00 INFO named:607     o                      o            o             
2017-09-27T16:57:12.852741668+00:00 INFO named:608     |                      |            |             
2017-09-27T16:57:12.852792988+00:00 INFO named:609   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-27T16:57:12.852846377+00:00 INFO named:610     |    |    |  |   \     |         |  |  |  |   \   
2017-09-27T16:57:12.852925792+00:00 INFO named:611     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-27T16:57:12.852977781+00:00 INFO named:612 
2017-09-27T16:57:12.853050469+00:00 INFO named:596 awaiting connections...
2017-09-27T16:57:12.853100174+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
2017-09-27T16:57:35.787473728+00:00 INFO trust_dns_server::authority::catalog:43 request id: 41735 type: Query op_code: Query
2017-09-27T16:57:35.897053537+00:00 INFO trust_dns_server::authority::catalog:43 request id: 24322 type: Query op_code: Query
2017-09-27T16:57:36.037571910+00:00 INFO trust_dns_server::authority::catalog:43 request id: 24334 type: Query op_code: Query
2017-09-27T16:57:36.037816534+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38165 type: Query op_code: Query
2017-09-27T16:57:36.037983563+00:00 INFO trust_dns_server::authority::catalog:43 request id: 10319 type: Query op_code: Query
2017-09-27T16:57:36.038102475+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17919 type: Query op_code: Query
2017-09-27T16:57:36.038216944+00:00 INFO trust_dns_server::authority::catalog:43 request id: 55701 type: Query op_code: Query
2017-09-27T16:57:36.038350907+00:00 INFO trust_dns_server::authority::catalog:43 request id: 29443 type: Query op_code: Query
2017-09-27T16:57:36.038428357+00:00 INFO trust_dns_server::authority::catalog:43 request id: 25854 type: Query op_code: Query
2017-09-27T16:57:36.038503900+00:00 INFO trust_dns_server::authority::catalog:43 request id: 61378 type: Query op_code: Query
2017-09-27T16:57:36.038582391+00:00 INFO trust_dns_server::authority::catalog:43 request id: 29840 type: Query op_code: Query
2017-09-27T16:57:36.038671598+00:00 INFO trust_dns_server::authority::catalog:43 request id: 42049 type: Query op_code: Query
2017-09-27T16:57:36.141408384+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38640 type: Query op_code: Query

rm *.pem && rm *.jrnl
changed algorithm from ECDSAP384SHA384 to RSASHA256

first run:

root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/
2017-09-27T16:59:56.146350629+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-27T16:59:56.146408499+00:00 INFO named:482 Trust-DNS 0.12.0 starting
2017-09-27T16:59:56.146413924+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml"
2017-09-27T16:59:56.146643756+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone"
2017-09-27T16:59:56.287893327+00:00 INFO named:174 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl"
2017-09-27T16:59:56.375585868+00:00 INFO trust_dns_server::authority::authority:155 persisting zone to journal at SOA.serial: 201709264
2017-09-27T16:59:56.500420812+00:00 INFO named:187 loaded zone: ikenmeyer.com.
2017-09-27T16:59:56.500467621+00:00 INFO named:267 creating key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T16:59:56.751543536+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T16:59:56.751683744+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-27T16:59:56.764089342+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-27T16:59:56.764129605+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 }
2017-09-27T16:59:56.764152834+00:00 INFO named:606 
2017-09-27T16:59:56.764175385+00:00 INFO named:607     o                      o            o             
2017-09-27T16:59:56.764180904+00:00 INFO named:608     |                      |            |             
2017-09-27T16:59:56.764186257+00:00 INFO named:609   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-27T16:59:56.764206153+00:00 INFO named:610     |    |    |  |   \     |         |  |  |  |   \   
2017-09-27T16:59:56.764210910+00:00 INFO named:611     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-27T16:59:56.764213979+00:00 INFO named:612 
2017-09-27T16:59:56.764216697+00:00 INFO named:596 awaiting connections...
2017-09-27T16:59:56.764220573+00:00 INFO trust_dns_server::server::server_future:203 Server starting up
2017-09-27T17:00:10.520685652+00:00 INFO trust_dns_server::authority::catalog:43 request id: 36300 type: Query op_code: Query
2017-09-27T17:00:10.629146483+00:00 INFO trust_dns_server::authority::catalog:43 request id: 4914 type: Query op_code: Query
2017-09-27T17:00:10.766085656+00:00 INFO trust_dns_server::authority::catalog:43 request id: 24287 type: Query op_code: Query
2017-09-27T17:00:10.766340757+00:00 INFO trust_dns_server::authority::catalog:43 request id: 62022 type: Query op_code: Query
2017-09-27T17:00:10.766449740+00:00 INFO trust_dns_server::authority::catalog:43 request id: 8628 type: Query op_code: Query
2017-09-27T17:00:10.766563422+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64678 type: Query op_code: Query
2017-09-27T17:00:10.766725961+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23927 type: Query op_code: Query
2017-09-27T17:00:10.766896690+00:00 INFO trust_dns_server::authority::catalog:43 request id: 47236 type: Query op_code: Query
2017-09-27T17:00:10.766998029+00:00 INFO trust_dns_server::authority::catalog:43 request id: 56977 type: Query op_code: Query
2017-09-27T17:00:10.767117945+00:00 INFO trust_dns_server::authority::catalog:43 request id: 25194 type: Query op_code: Query
2017-09-27T17:00:10.767214270+00:00 INFO trust_dns_server::authority::catalog:43 request id: 26287 type: Query op_code: Query
2017-09-27T17:00:10.767301616+00:00 INFO trust_dns_server::authority::catalog:43 request id: 55752 type: Query op_code: Query
2017-09-27T17:00:10.869222810+00:00 INFO trust_dns_server::authority::catalog:43 request id: 32963 type: Query op_code: Query

removed pem, jrnl
changed RSASHA256 to RSASHA512
used the first build (features=tls,ring)

<!-- gh-comment-id:332607425 --> @Darkspirit commented on GitHub (Sep 27, 2017):

Overview
-----------

It seems that only RSASHA256 is working now (or I am doing something wrong). I am primarily interested in ECDSA P384 and EdDSA.

Compiled on my Debian Testing desktop (rust stable) and running inside a Debian Testing LXC container (rust stable). Only CSK (RSA/EC=pem or ED=pk8) tested. jrnl + pem/pk8 deleted for each table cell.

| build | RSA SHA256 | RSA SHA512 | ECDSA P256SHA256 | ECDSA P384SHA384 | ED25519 |
| --- | --- | --- | --- | --- | --- |
| without features | [1:ok?](http://dnsviz.net/d/ikenmeyer.com/e/178694869/dnssec/), [2:ok?](http://dnsviz.net/d/ikenmeyer.com/e/178694878/dnssec/) | [1:no](http://dnsviz.net/d/ikenmeyer.com/e/178694890/dnssec/), [2:no](http://dnsviz.net/d/ikenmeyer.com/e/178694895/dnssec/) | [1:no](http://dnsviz.net/d/ikenmeyer.com/e/178694902/dnssec/), [2:no](http://dnsviz.net/d/ikenmeyer.com/e/178694913/dnssec/) | [1:no](http://dnsviz.net/d/ikenmeyer.com/e/178694920/dnssec/), [2:no](http://dnsviz.net/d/ikenmeyer.com/e/178694925/dnssec/) | 1:error*, 2:error** |
| features=tls,ring | [1:ok?](http://dnsviz.net/d/ikenmeyer.com/e/178695005/dnssec/) | [1:no](http://dnsviz.net/d/ikenmeyer.com/e/178695011/dnssec/) | [1:no](http://dnsviz.net/d/ikenmeyer.com/e/178695018/dnssec/) | [1:no](http://dnsviz.net/d/ikenmeyer.com/e/178695024/dnssec/) | [1:no***](http://dnsviz.net/d/ikenmeyer.com/e/178695031/dnssec/) |

*) 2017-09-27T17:32:46.152411591+00:00 ERROR named:507 could not load zone ikenmeyer.com.: failed to load key: "ikenmeyer.com.zone.csk.pem" msg: could not generate key: unsupported Algorithm, enable openssl or ring feature: ED25519

**) openssl genpkey -algorithm X25519 | openssl pkcs8 -nocrypt -outform der > ikenmeyer.com.zone.csk.pk8
\# maybe this openssl command was just wrong to manually create a X25519 keypair as pk8: X25519 is a key-agreement key type, whereas the ED25519 DNSSEC algorithm needs an Ed25519 signing key.
2017-09-27T17:41:17.662520044+00:00 ERROR named:507 could not load zone ikenmeyer.com.: failed to load key: "ikenmeyer.com.zone.csk.pk8" msg: could not decode key: unsupported key format with ED25519 (only Pkcs8 supported): Pkcs8 ***) Although dnsviz does not support ed25519 it can display it partially: [ed25519.nl](http://dnsviz.net/d/ed25519.nl/WcjLeg/dnssec/) ----- My first tests: compiled with: ``` darkspirit@darkspirit:~$ cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --features tls,ring --force Updating git repository `https://github.com/bluejekyll/trust-dns` Installing trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da) Updating registry `https://github.com/rust-lang/crates.io-index` Compiling backtrace v0.2.3 Compiling libc v0.2.31 Compiling utf8-ranges v0.1.3 Compiling gcc v0.3.54 Compiling lazycell v0.5.1 Compiling winapi-build v0.1.1 Compiling winapi v0.2.8 Compiling either v1.1.0 Compiling rayon-core v1.2.1 Compiling num-traits v0.1.40 Compiling data-encoding v1.2.0 Compiling cc v1.0.0 Compiling lazy_static v0.2.8 Compiling pkg-config v0.3.9 Compiling untrusted v0.5.1 Compiling futures v0.1.16 Compiling strsim v0.5.2 Compiling bitflags v0.9.1 Compiling byteorder v1.1.0 Compiling bitflags v0.7.0 Compiling scopeguard v0.3.2 Compiling log v0.3.8 Compiling foreign-types v0.2.0 Compiling cfg-if v0.1.2 Compiling rustc-demangle v0.1.5 Compiling scoped-tls v0.1.0 Compiling rustc-serialize v0.3.24 Compiling openssl v0.9.19 Compiling slab v0.3.0 Compiling linked-hash-map v0.4.2 Compiling regex-syntax v0.3.9 Compiling dbghelp-sys v0.2.0 Compiling kernel32-sys v0.2.2 Compiling memchr v0.1.11 Compiling num_cpus v1.6.2 Compiling time v0.1.38 Compiling iovec v0.1.0 Compiling rand v0.3.16 Compiling num-integer v0.1.35 Compiling coco v0.1.1 Compiling net2 v0.2.31 Compiling lru-cache v0.1.1 Compiling aho-corasick v0.5.3 Compiling bytes v0.4.5 Compiling num-iter v0.1.34 Compiling libsqlite3-sys v0.6.2 Compiling 
openssl-sys v0.9.19 Compiling backtrace-sys v0.1.14 Compiling num v0.1.40 Compiling mio v0.6.10 Compiling thread-id v2.0.0 Compiling chrono v0.4.0 Compiling tokio-io v0.1.3 Compiling thread_local v0.2.7 Compiling rayon v0.8.2 Compiling tokio-core v0.1.9 Compiling toml v0.1.30 Compiling ring v0.12.1 Compiling regex v0.1.80 Compiling error-chain v0.1.12 Compiling tokio-openssl v0.1.3 Compiling trust-dns v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da) Compiling docopt v0.6.86 Compiling rusqlite v0.9.5 Compiling trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da) Finished release [optimized] target(s) in 111.45 secs Installing /home/darkspirit/.cargo/bin/named ``` then uploaded it to my server ([reason](https://twitter.com/TerraX_net/status/912466917532798978)). first run ``` root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ 2017-09-27T16:48:25.928121022+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-27T16:48:25.928333704+00:00 INFO named:482 Trust-DNS 0.12.0 starting 2017-09-27T16:48:25.928380810+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml" 2017-09-27T16:48:25.928555690+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone" 2017-09-27T16:48:26.070995968+00:00 INFO named:174 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-27T16:48:26.152066148+00:00 INFO trust_dns_server::authority::authority:155 persisting zone to journal at SOA.serial: 201709264 2017-09-27T16:48:26.269129007+00:00 INFO named:187 loaded zone: ikenmeyer.com. 
2017-09-27T16:48:26.269357142+00:00 INFO named:267 creating key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:48:26.280650931+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:48:26.281044753+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-27T16:48:26.292231248+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-27T16:48:26.292442431+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-27T16:48:26.292572466+00:00 INFO named:606 2017-09-27T16:48:26.292672356+00:00 INFO named:607 o o o 2017-09-27T16:48:26.292816776+00:00 INFO named:608 | | | 2017-09-27T16:48:26.292915393+00:00 INFO named:609 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-27T16:48:26.292988848+00:00 INFO named:610 | | | | \ | | | | | \ 2017-09-27T16:48:26.293027151+00:00 INFO named:611 o o o--o o-o o o-o o o o-o 2017-09-27T16:48:26.293053619+00:00 INFO named:612 2017-09-27T16:48:26.293079104+00:00 INFO named:596 awaiting connections... 
2017-09-27T16:48:26.293104449+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-27T16:49:04.964635667+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64494 type: Query op_code: Query 2017-09-27T16:49:05.076221647+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45503 type: Query op_code: Query 2017-09-27T16:49:05.211141027+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38078 type: Query op_code: Query 2017-09-27T16:49:05.211420670+00:00 INFO trust_dns_server::authority::catalog:43 request id: 10242 type: Query op_code: Query 2017-09-27T16:49:05.211553647+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3227 type: Query op_code: Query 2017-09-27T16:49:05.211689100+00:00 INFO trust_dns_server::authority::catalog:43 request id: 29821 type: Query op_code: Query 2017-09-27T16:49:05.211829012+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23431 type: Query op_code: Query 2017-09-27T16:49:05.211967073+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3526 type: Query op_code: Query 2017-09-27T16:49:05.212071055+00:00 INFO trust_dns_server::authority::catalog:43 request id: 785 type: Query op_code: Query 2017-09-27T16:49:05.212186271+00:00 INFO trust_dns_server::authority::catalog:43 request id: 22808 type: Query op_code: Query 2017-09-27T16:49:05.212288174+00:00 INFO trust_dns_server::authority::catalog:43 request id: 3050 type: Query op_code: Query 2017-09-27T16:49:05.212359021+00:00 INFO trust_dns_server::authority::catalog:43 request id: 41640 type: Query op_code: Query 2017-09-27T16:49:05.315577693+00:00 INFO trust_dns_server::authority::catalog:43 request id: 61156 type: Query op_code: Query ^C ``` * the zone is not signed: http://dnsviz.net/d/ikenmeyer.com/e/178694702/dnssec/ second run: ``` root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ 2017-09-27T16:49:48.905852899+00:00 INFO 
trust_dns::logger:26 logging initialized 2017-09-27T16:49:48.905918562+00:00 INFO named:482 Trust-DNS 0.12.0 starting 2017-09-27T16:49:48.905923988+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml" 2017-09-27T16:49:48.906112354+00:00 INFO named:135 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-27T16:49:48.906820135+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal 2017-09-27T16:49:48.906903438+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com. 2017-09-27T16:49:48.906917034+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-27T16:49:48.906967534+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com. 2017-09-27T16:49:48.906975767+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) } 2017-09-27T16:49:48.907019255+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com. 
2017-09-27T16:49:48.907026976+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) } 2017-09-27T16:49:48.907079563+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 2017-09-27T16:49:48.907122550+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-27T16:49:48.907166124+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 2017-09-27T16:49:48.907214470+00:00 WARN trust_dns_server::authority::authority:1130 attempt to sign_zone for dnssec, but no keys available! 2017-09-27T16:49:48.907233121+00:00 INFO named:152 recovered zone: ikenmeyer.com. 
2017-09-27T16:49:48.907249281+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:49:49.050777818+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-27T16:49:49.060890812+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-27T16:49:49.060941704+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-27T16:49:49.060954438+00:00 INFO named:606 2017-09-27T16:49:49.060960983+00:00 INFO named:607 o o o 2017-09-27T16:49:49.060964248+00:00 INFO named:608 | | | 2017-09-27T16:49:49.060968785+00:00 INFO named:609 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-27T16:49:49.060973740+00:00 INFO named:610 | | | | \ | | | | | \ 2017-09-27T16:49:49.060978848+00:00 INFO named:611 o o o--o o-o o o-o o o o-o 2017-09-27T16:49:49.060983900+00:00 INFO named:612 2017-09-27T16:49:49.060988331+00:00 INFO named:596 awaiting connections... 
2017-09-27T16:49:49.060992919+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-27T16:50:02.052841469+00:00 INFO trust_dns_server::authority::catalog:43 request id: 43220 type: Query op_code: Query 2017-09-27T16:50:02.160351654+00:00 INFO trust_dns_server::authority::catalog:43 request id: 26480 type: Query op_code: Query 2017-09-27T16:50:02.295859278+00:00 INFO trust_dns_server::authority::catalog:43 request id: 8729 type: Query op_code: Query 2017-09-27T16:50:02.295978724+00:00 INFO trust_dns_server::authority::catalog:43 request id: 37382 type: Query op_code: Query 2017-09-27T16:50:02.296037486+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7186 type: Query op_code: Query 2017-09-27T16:50:02.296093046+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17650 type: Query op_code: Query 2017-09-27T16:50:02.296159997+00:00 INFO trust_dns_server::authority::catalog:43 request id: 56029 type: Query op_code: Query 2017-09-27T16:50:02.296237177+00:00 INFO trust_dns_server::authority::catalog:43 request id: 12650 type: Query op_code: Query 2017-09-27T16:50:02.296282191+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38987 type: Query op_code: Query 2017-09-27T16:50:02.296328112+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23934 type: Query op_code: Query 2017-09-27T16:50:02.296378103+00:00 INFO trust_dns_server::authority::catalog:43 request id: 50514 type: Query op_code: Query 2017-09-27T16:50:02.296414992+00:00 INFO trust_dns_server::authority::catalog:43 request id: 35756 type: Query op_code: Query 2017-09-27T16:50:02.399859969+00:00 INFO trust_dns_server::authority::catalog:43 request id: 492 type: Query op_code: Query ``` * the zone is not signed: http://dnsviz.net/d/ikenmeyer.com/e/178694710/dnssec/ ----- second build (without "features"): ``` darkspirit@darkspirit:~$ cargo uninstall trust-dns-server darkspirit@darkspirit:~$ rm -rf ~/.cargo/git darkspirit@darkspirit:~$ 
cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server Updating git repository `https://github.com/bluejekyll/trust-dns` Installing trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da) Updating registry `https://github.com/rust-lang/crates.io-index` Compiling openssl v0.9.19 Compiling slab v0.3.0 Compiling gcc v0.3.54 Compiling regex-syntax v0.3.9 Compiling pkg-config v0.3.9 Compiling lazy_static v0.2.8 Compiling cc v1.0.0 Compiling bitflags v0.9.1 Compiling linked-hash-map v0.4.2 Compiling untrusted v0.5.1 Compiling libc v0.2.31 Compiling rustc-serialize v0.3.24 Compiling backtrace v0.2.3 Compiling cfg-if v0.1.2 Compiling winapi v0.2.8 Compiling strsim v0.5.2 Compiling scoped-tls v0.1.0 Compiling foreign-types v0.2.0 Compiling utf8-ranges v0.1.3 Compiling winapi-build v0.1.1 Compiling log v0.3.8 Compiling rustc-demangle v0.1.5 Compiling lazycell v0.5.1 Compiling bitflags v0.7.0 Compiling data-encoding v1.2.0 Compiling num-traits v0.1.40 Compiling byteorder v1.1.0 Compiling futures v0.1.16 Compiling lru-cache v0.1.1 Compiling net2 v0.2.31 Compiling rand v0.3.16 Compiling memchr v0.1.11 Compiling time v0.1.38 Compiling iovec v0.1.0 Compiling dbghelp-sys v0.2.0 Compiling kernel32-sys v0.2.2 Compiling num-integer v0.1.35 Compiling aho-corasick v0.5.3 Compiling bytes v0.4.5 Compiling mio v0.6.10 Compiling backtrace-sys v0.1.14 Compiling openssl-sys v0.9.19 Compiling num-iter v0.1.34 Compiling libsqlite3-sys v0.6.2 Compiling num v0.1.40 Compiling tokio-io v0.1.3 Compiling thread-id v2.0.0 Compiling chrono v0.4.0 Compiling thread_local v0.2.7 Compiling toml v0.1.30 Compiling tokio-core v0.1.9 Compiling regex v0.1.80 Compiling error-chain v0.1.12 Compiling tokio-openssl v0.1.3 Compiling trust-dns v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da) Compiling docopt v0.6.86 Compiling rusqlite v0.9.5 Compiling trust-dns-server v0.12.0 (https://github.com/bluejekyll/trust-dns#a89bf1da) Finished release [optimized] target(s) 
in 107.85 secs Installing /home/darkspirit/.cargo/bin/named ``` renamed it to named-default and uploaded it. removed .pem and .jrnl first run: ``` root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ 2017-09-27T16:56:24.623014330+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-27T16:56:24.623217921+00:00 INFO named:482 Trust-DNS 0.12.0 starting 2017-09-27T16:56:24.623303801+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml" 2017-09-27T16:56:24.623519088+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone" 2017-09-27T16:56:24.765674755+00:00 INFO named:174 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-27T16:56:24.873041341+00:00 INFO trust_dns_server::authority::authority:155 persisting zone to journal at SOA.serial: 201709264 2017-09-27T16:56:25.015738448+00:00 INFO named:187 loaded zone: ikenmeyer.com. 2017-09-27T16:56:25.016019238+00:00 INFO named:267 creating key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:56:25.022432348+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:56:25.023053402+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-27T16:56:25.037339733+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-27T16:56:25.037612321+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-27T16:56:25.037698963+00:00 INFO named:606 2017-09-27T16:56:25.037794691+00:00 INFO named:607 o o o 2017-09-27T16:56:25.037887782+00:00 INFO named:608 | | | 2017-09-27T16:56:25.037969254+00:00 INFO named:609 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-27T16:56:25.038006180+00:00 INFO named:610 | | | | \ | | | | | \ 2017-09-27T16:56:25.038038892+00:00 INFO named:611 o o o--o o-o o o-o o o o-o 2017-09-27T16:56:25.038071452+00:00 INFO named:612 
2017-09-27T16:56:25.038103545+00:00 INFO named:596 awaiting connections... 2017-09-27T16:56:25.038135827+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-27T16:56:39.269185776+00:00 INFO trust_dns_server::authority::catalog:43 request id: 49048 type: Query op_code: Query 2017-09-27T16:56:39.378275702+00:00 INFO trust_dns_server::authority::catalog:43 request id: 13244 type: Query op_code: Query 2017-09-27T16:56:39.517760024+00:00 INFO trust_dns_server::authority::catalog:43 request id: 48218 type: Query op_code: Query 2017-09-27T16:56:39.517999991+00:00 INFO trust_dns_server::authority::catalog:43 request id: 53684 type: Query op_code: Query 2017-09-27T16:56:39.518134110+00:00 INFO trust_dns_server::authority::catalog:43 request id: 13335 type: Query op_code: Query 2017-09-27T16:56:39.518243683+00:00 INFO trust_dns_server::authority::catalog:43 request id: 45192 type: Query op_code: Query 2017-09-27T16:56:39.518418991+00:00 INFO trust_dns_server::authority::catalog:43 request id: 7574 type: Query op_code: Query 2017-09-27T16:56:39.518522946+00:00 INFO trust_dns_server::authority::catalog:43 request id: 20714 type: Query op_code: Query 2017-09-27T16:56:39.518602053+00:00 INFO trust_dns_server::authority::catalog:43 request id: 46200 type: Query op_code: Query 2017-09-27T16:56:39.518696023+00:00 INFO trust_dns_server::authority::catalog:43 request id: 48644 type: Query op_code: Query 2017-09-27T16:56:39.518773535+00:00 INFO trust_dns_server::authority::catalog:43 request id: 59742 type: Query op_code: Query 2017-09-27T16:56:39.518860106+00:00 INFO trust_dns_server::authority::catalog:43 request id: 40438 type: Query op_code: Query 2017-09-27T16:56:39.620979647+00:00 INFO trust_dns_server::authority::catalog:43 request id: 42591 type: Query op_code: Query ``` * not signed: http://dnsviz.net/d/ikenmeyer.com/e/178694760/dnssec/ second run: ``` root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml 
--zonedir=/home/trustdns/ 2017-09-27T16:57:12.701629711+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-27T16:57:12.701841378+00:00 INFO named:482 Trust-DNS 0.12.0 starting 2017-09-27T16:57:12.701923781+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml" 2017-09-27T16:57:12.702137232+00:00 INFO named:135 recovering zone from journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-27T16:57:12.702666515+00:00 INFO trust_dns_server::authority::authority:121 recovering from journal 2017-09-27T16:57:12.702854125+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com. 2017-09-27T16:57:12.702900009+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-27T16:57:12.702995286+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com. 2017-09-27T16:57:12.703035718+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: NS, dns_class: IN, ttl: 86400, rdata: NS(Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }) } 2017-09-27T16:57:12.703119519+00:00 WARN trust_dns_server::authority::authority:256 no soa record found for zone: ikenmeyer.com. 
2017-09-27T16:57:12.703159997+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: SOA, dns_class: IN, ttl: 604800, rdata: SOA(SOA { mname: Name { is_fqdn: true, labels: ["dev", "h", "terrax", "net"] }, rname: Name { is_fqdn: true, labels: ["hostmaster", "terrax", "net"] }, serial: 201709264, refresh: 28800, retry: 7200, expire: 604800, minimum: 86400 }) } 2017-09-27T16:57:12.703251744+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 2017-09-27T16:57:12.703377+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: A, dns_class: IN, ttl: 86400, rdata: A(127.0.0.1) } 2017-09-27T16:57:12.703481928+00:00 INFO trust_dns_server::authority::authority:737 upserting record: Record { name_labels: Name { is_fqdn: true, labels: ["www", "ikenmeyer", "com"] }, rr_type: AAAA, dns_class: IN, ttl: 86400, rdata: AAAA(::1) } 2017-09-27T16:57:12.703573317+00:00 WARN trust_dns_server::authority::authority:1130 attempt to sign_zone for dnssec, but no keys available! 2017-09-27T16:57:12.703613667+00:00 INFO named:152 recovered zone: ikenmeyer.com. 
2017-09-27T16:57:12.703653511+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:57:12.842448864+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-27T16:57:12.852445477+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-27T16:57:12.852547073+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-27T16:57:12.852604179+00:00 INFO named:606 2017-09-27T16:57:12.852673901+00:00 INFO named:607 o o o 2017-09-27T16:57:12.852741668+00:00 INFO named:608 | | | 2017-09-27T16:57:12.852792988+00:00 INFO named:609 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-27T16:57:12.852846377+00:00 INFO named:610 | | | | \ | | | | | \ 2017-09-27T16:57:12.852925792+00:00 INFO named:611 o o o--o o-o o o-o o o o-o 2017-09-27T16:57:12.852977781+00:00 INFO named:612 2017-09-27T16:57:12.853050469+00:00 INFO named:596 awaiting connections... 
2017-09-27T16:57:12.853100174+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-27T16:57:35.787473728+00:00 INFO trust_dns_server::authority::catalog:43 request id: 41735 type: Query op_code: Query 2017-09-27T16:57:35.897053537+00:00 INFO trust_dns_server::authority::catalog:43 request id: 24322 type: Query op_code: Query 2017-09-27T16:57:36.037571910+00:00 INFO trust_dns_server::authority::catalog:43 request id: 24334 type: Query op_code: Query 2017-09-27T16:57:36.037816534+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38165 type: Query op_code: Query 2017-09-27T16:57:36.037983563+00:00 INFO trust_dns_server::authority::catalog:43 request id: 10319 type: Query op_code: Query 2017-09-27T16:57:36.038102475+00:00 INFO trust_dns_server::authority::catalog:43 request id: 17919 type: Query op_code: Query 2017-09-27T16:57:36.038216944+00:00 INFO trust_dns_server::authority::catalog:43 request id: 55701 type: Query op_code: Query 2017-09-27T16:57:36.038350907+00:00 INFO trust_dns_server::authority::catalog:43 request id: 29443 type: Query op_code: Query 2017-09-27T16:57:36.038428357+00:00 INFO trust_dns_server::authority::catalog:43 request id: 25854 type: Query op_code: Query 2017-09-27T16:57:36.038503900+00:00 INFO trust_dns_server::authority::catalog:43 request id: 61378 type: Query op_code: Query 2017-09-27T16:57:36.038582391+00:00 INFO trust_dns_server::authority::catalog:43 request id: 29840 type: Query op_code: Query 2017-09-27T16:57:36.038671598+00:00 INFO trust_dns_server::authority::catalog:43 request id: 42049 type: Query op_code: Query 2017-09-27T16:57:36.141408384+00:00 INFO trust_dns_server::authority::catalog:43 request id: 38640 type: Query op_code: Query ``` * not signed: http://dnsviz.net/d/ikenmeyer.com/e/178694767/dnssec/ ----- rm *.pem && rm *.jrnl changed algorithm from ECDSAP384SHA384 to RSASHA256 first run: ``` root@dev:/home/trustdns# /home/trustdns/named-default --config=/home/trustdns/config.toml 
--zonedir=/home/trustdns/ 2017-09-27T16:59:56.146350629+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-27T16:59:56.146408499+00:00 INFO named:482 Trust-DNS 0.12.0 starting 2017-09-27T16:59:56.146413924+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml" 2017-09-27T16:59:56.146643756+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone" 2017-09-27T16:59:56.287893327+00:00 INFO named:174 enabling journal: "/home/trustdns/ikenmeyer.com.jrnl" 2017-09-27T16:59:56.375585868+00:00 INFO trust_dns_server::authority::authority:155 persisting zone to journal at SOA.serial: 201709264 2017-09-27T16:59:56.500420812+00:00 INFO named:187 loaded zone: ikenmeyer.com. 2017-09-27T16:59:56.500467621+00:00 INFO named:267 creating key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:59:56.751543536+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T16:59:56.751683744+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-27T16:59:56.764089342+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-27T16:59:56.764129605+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 5 } 2017-09-27T16:59:56.764152834+00:00 INFO named:606 2017-09-27T16:59:56.764175385+00:00 INFO named:607 o o o 2017-09-27T16:59:56.764180904+00:00 INFO named:608 | | | 2017-09-27T16:59:56.764186257+00:00 INFO named:609 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-27T16:59:56.764206153+00:00 INFO named:610 | | | | \ | | | | | \ 2017-09-27T16:59:56.764210910+00:00 INFO named:611 o o o--o o-o o o-o o o o-o 2017-09-27T16:59:56.764213979+00:00 INFO named:612 2017-09-27T16:59:56.764216697+00:00 INFO named:596 awaiting connections... 
2017-09-27T16:59:56.764220573+00:00 INFO trust_dns_server::server::server_future:203 Server starting up 2017-09-27T17:00:10.520685652+00:00 INFO trust_dns_server::authority::catalog:43 request id: 36300 type: Query op_code: Query 2017-09-27T17:00:10.629146483+00:00 INFO trust_dns_server::authority::catalog:43 request id: 4914 type: Query op_code: Query 2017-09-27T17:00:10.766085656+00:00 INFO trust_dns_server::authority::catalog:43 request id: 24287 type: Query op_code: Query 2017-09-27T17:00:10.766340757+00:00 INFO trust_dns_server::authority::catalog:43 request id: 62022 type: Query op_code: Query 2017-09-27T17:00:10.766449740+00:00 INFO trust_dns_server::authority::catalog:43 request id: 8628 type: Query op_code: Query 2017-09-27T17:00:10.766563422+00:00 INFO trust_dns_server::authority::catalog:43 request id: 64678 type: Query op_code: Query 2017-09-27T17:00:10.766725961+00:00 INFO trust_dns_server::authority::catalog:43 request id: 23927 type: Query op_code: Query 2017-09-27T17:00:10.766896690+00:00 INFO trust_dns_server::authority::catalog:43 request id: 47236 type: Query op_code: Query 2017-09-27T17:00:10.766998029+00:00 INFO trust_dns_server::authority::catalog:43 request id: 56977 type: Query op_code: Query 2017-09-27T17:00:10.767117945+00:00 INFO trust_dns_server::authority::catalog:43 request id: 25194 type: Query op_code: Query 2017-09-27T17:00:10.767214270+00:00 INFO trust_dns_server::authority::catalog:43 request id: 26287 type: Query op_code: Query 2017-09-27T17:00:10.767301616+00:00 INFO trust_dns_server::authority::catalog:43 request id: 55752 type: Query op_code: Query 2017-09-27T17:00:10.869222810+00:00 INFO trust_dns_server::authority::catalog:43 request id: 32963 type: Query op_code: Query ``` * the zone **is signed**: http://dnsviz.net/d/ikenmeyer.com/e/178694785/dnssec/ ---- removed pem, jrnl changed RSASHA256 to RSASHA512 used the first build (features=tls,ring) * not signed: http://dnsviz.net/d/ikenmeyer.com/e/178694822/dnssec/